hashicorp / vault

A tool for secrets management, encryption as a service, and privileged access management
https://www.vaultproject.io/

pkiCert not rendering key or ca #16585

Closed rgruyters closed 2 years ago

rgruyters commented 2 years ago

Describe the bug

When using pkiCert for Vault Agent templates the certificate is generated, but not the keys nor CA.

To Reproduce

Steps to reproduce the behavior:

  1. Add below template to a template file (e.g.) test_cert.ctmpl
  2. Add template stanza to the Vault Agent config
  3. Restart Vault Agent

test_cert.ctmpl

{{ with pkiCert "pki/issue/test-example-org" "ttl=1h" "common_name=foo.test.example.org"   -}}
{{ .Data.Cert }}
{{ .Data.Key }}
{{ .Data.CA }}
{{ end -}}

Validating the certificate:

grep -e BEGIN -e END /etc/ssl/test.crt
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

Expected behavior

Expected output:

grep -e BEGIN -e END /etc/ssl/test.crt
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

Environment:

Vault Server: Ubuntu 20.04
Vault Agents: Ubuntu 18.04 and Ubuntu 20.04

Vault server configuration file(s):

exit_after_auth = false

auto_auth {
  method {
    type = "approle"

    config = {
      role_id_file_path   = "/etc/vault.d/.vault_agent_role_id"
      secret_id_file_path = "/etc/vault.d/.vault_agent_secret_id"
      remove_secret_id_file_after_reading = false
    }

  }

  sink "file" {
    config = {
      path = "/var/tmp/vault_agent_sink_file"
    }

  }

}

vault {
  address = "https://vault.<REDACTED>:8200/"
}

template {
  source = "/etc/vault.d/templates/test_cert.ctmpl"
  destination = "/etc/ssl/test.crt"
  perms = "0644"
  command = ""
  command_timeout = "30s"
}

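The `grep -e BEGIN -e END` check above only shows whether a PEM header is present; it does not tell you that the key actually belongs to the certificate or that the third block is the issuing CA. The following is an added example, not code from the Vault or consul-template projects: a Go verifier that parses a rendered bundle with the standard library, requires all three parts (leaf cert, private key, CA) in the order the templates in this thread emit them, and checks that the key matches the leaf and that the CA signed it. `SampleBundle` is a constructed stand-in for a pki/issue response, with flags that reproduce the broken rendering in which the key and/or CA came out empty; the names `VerifyBundle`, `SampleBundle` and `keyParsers` are this example's own.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// keyParsers covers the PEM key encodings that appear in this thread.
var keyParsers = map[string]func([]byte) (interface{}, error){
	"PRIVATE KEY":     x509.ParsePKCS8PrivateKey,
	"RSA PRIVATE KEY": func(b []byte) (interface{}, error) { return x509.ParsePKCS1PrivateKey(b) },
	"EC PRIVATE KEY":  func(b []byte) (interface{}, error) { return x509.ParseECPrivateKey(b) },
}

// VerifyBundle decodes every PEM block and checks that leaf certificate, private
// key and issuing CA are all present and belong together; a file rendered from
// "{{ .Data.Key }}" (empty key and CA) fails here rather than in production.
func VerifyBundle(data []byte) error {
	var leaf, ca *x509.Certificate
	var key crypto.Signer
	for block, rest := pem.Decode(data); block != nil; block, rest = pem.Decode(rest) {
		if parse, ok := keyParsers[block.Type]; ok {
			k, err := parse(block.Bytes)
			if err != nil {
				return fmt.Errorf("bad %s block: %w", block.Type, err)
			}
			key, _ = k.(crypto.Signer) // rsa, ecdsa and ed25519 keys all implement Signer
			continue
		}
		if block.Type != "CERTIFICATE" {
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return fmt.Errorf("bad certificate block: %w", err)
		}
		if leaf == nil { // the templates in this thread render the leaf first, then the CA
			leaf = cert
		} else if ca == nil {
			ca = cert
		}
	}
	if leaf == nil || key == nil || ca == nil {
		return fmt.Errorf("incomplete bundle: cert=%t key=%t ca=%t", leaf != nil, key != nil, ca != nil)
	}
	// The key must belong to the leaf, and the bundled CA must have signed the leaf.
	pub, ok := leaf.PublicKey.(interface{ Equal(crypto.PublicKey) bool })
	if !ok || !pub.Equal(key.Public()) {
		return fmt.Errorf("private key does not match leaf certificate")
	}
	if err := leaf.CheckSignatureFrom(ca); err != nil {
		return fmt.Errorf("leaf not signed by bundled CA: %w", err)
	}
	return nil
}

// SampleBundle builds a constructed CA and leaf in memory (stand-in for a real
// pki/issue response) and renders them cert, key, CA like the templates above.
func SampleBundle(withKey, withCA bool) []byte {
	now := time.Now()
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "sample CA (constructed)"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	ca, _ := x509.ParseCertificate(caDER)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "foo.test.example.org"},
		NotBefore: now.Add(-time.Minute), NotAfter: now.Add(time.Hour),
	}
	leafDER, _ := x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey)
	keyDER, _ := x509.MarshalPKCS8PrivateKey(leafKey)
	out := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: leafDER})
	if withKey {
		out = append(out, pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER})...)
	}
	if withCA {
		out = append(out, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER})...)
	}
	return out
}

func main() {
	fmt.Println("complete bundle:", VerifyBundle(SampleBundle(true, true)))
	fmt.Println("missing key:    ", VerifyBundle(SampleBundle(false, true)))
	fmt.Println("missing CA:     ", VerifyBundle(SampleBundle(true, false)))
}
```

Run it against the rendered destination file instead of `SampleBundle` to turn the grep check into a pass/fail gate; since the template above writes the private key into the same `0644` destination as the certificate, the same gate is a natural place to confirm the file mode before a service is pointed at the bundle.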

kitography commented 2 years ago

Super weird! This looks like it was fixed here: https://github.com/hashicorp/consul-template/pull/1591

Before I transfer you over to the consul-template project, could you share what version of that you are using?

rgruyters commented 2 years ago

I'm not using consul-template, but Vault Agent. The version of Vault (both server and Agent) is 1.11.2.

schultz-is commented 2 years ago

Howdy @rgruyters! I'm able to reproduce this issue as you describe. It is likely either an issue in consul-template (which Vault agent uses for templating), or an issue with our documentation.

In the meantime, could you verify that removing the .Data prefix from the template items produces the expected output? With any luck that'll get you unstuck while we investigate the root cause.

e.g.

{{ with pkiCert "pki/issue/test-example-org" "ttl=1h" "common_name=foo.test.example.org" -}}
{{ .Cert }}
{{ .Key }}
{{ .CA }}
{{ end -}}

rgruyters commented 2 years ago

I have tested it and it works as expected, but I noticed a different issue when I use writeToFile and add a second template stanza: it only writes the certificate file for the second template.

templates without writeToFile:

{{ with pkiCert "pki/issue/test-example-org" "ttl=1h" "common_name=test.test.example.org" -}}
{{ .Cert }}
{{ .Key }}
{{ .CA }}
{{ end -}}
{{ with pkiCert "pki/issue/test-example-org" "ttl=1h" "common_name=foo.test.example.org" -}}
{{ .Cert }}
{{ .Key }}
{{ .CA }}
{{ end -}}

Start Vault Agent with single template stanza.

template {
  source = "./test_cert.ctmpl"
  destination = "./test.pem"
  perms = "0644"
  command = ""
  command_timeout = "30s"
}

grep -e BEGIN -e END *.pem
test.pem:-----BEGIN CERTIFICATE-----
test.pem:-----END CERTIFICATE-----
test.pem:-----BEGIN RSA PRIVATE KEY-----
test.pem:-----END RSA PRIVATE KEY-----
test.pem:-----BEGIN CERTIFICATE-----
test.pem:-----END CERTIFICATE-----

Add second template stanza and restart Vault agent.

template {
  source = "./foo_cert.ctmpl"
  destination = "./foo.pem"
  perms = "0644"
  command = ""
  command_timeout = "30s"
}

grep -e BEGIN -e END *.pem
foo.pem:-----BEGIN CERTIFICATE-----
foo.pem:-----END CERTIFICATE-----
foo.pem:-----BEGIN RSA PRIVATE KEY-----
foo.pem:-----END RSA PRIVATE KEY-----
foo.pem:-----BEGIN CERTIFICATE-----
foo.pem:-----END CERTIFICATE-----
test.pem:-----BEGIN CERTIFICATE-----
test.pem:-----END CERTIFICATE-----
test.pem:-----BEGIN RSA PRIVATE KEY-----
test.pem:-----END RSA PRIVATE KEY-----
test.pem:-----BEGIN CERTIFICATE-----
test.pem:-----END CERTIFICATE-----

I have cleared everything and updated the templates with writeToFile.

{{ with pkiCert "pki/issue/test-example-org" "ttl=1h" "common_name=test.test.example.org" -}}
{{ .Cert }}
{{ if .Key -}}
{{ .Key | writeToFile "./test.key" "root" "root" "0640" -}}
{{ end -}}
{{ end -}}
{{ with pkiCert "pki/issue/test-example-org" "ttl=1h" "common_name=foo.test.example.org" -}}
{{ .Cert }}
{{ if .Key -}}
{{ .Key | writeToFile "./foo.key" "root" "root" "0640" -}}
{{ end -}}
{{ end -}}

Removed the second template stanza and restarted the Agent again.

grep -e BEGIN -e END *.{pem,key}
test.pem:-----BEGIN CERTIFICATE-----
test.pem:-----END CERTIFICATE-----
test.key:-----BEGIN RSA PRIVATE KEY-----
test.key:-----END RSA PRIVATE KEY-----

Added the second template to the Vault Agent config and restarted the Agent.

grep -e BEGIN -e END *.{pem,key}
foo.pem:-----BEGIN CERTIFICATE-----
foo.pem:-----END CERTIFICATE-----
test.pem:-----BEGIN CERTIFICATE-----
test.pem:-----END CERTIFICATE-----
test.key:-----BEGIN RSA PRIVATE KEY-----
test.key:-----END RSA PRIVATE KEY-----

I have tried removing the if statement, but it just writes an empty file.

schultz-is commented 2 years ago

We pulled in an updated version of consul-template with #16764 and #16775 that should fix both of these reported issues. Thanks for the reports @rgruyters!